Ewebeditor及fckeditor,90%的网站都是采用这两种编辑器作为产品或者内容的说明部分的编辑窗口,近日,一客户的外贸站点基本上快完工了,因客户产品分类多,故而让客户自己在后台添加产品,但是客户反映,在后台添加产品时,如果产品说明内容太过复杂的话,产品怎么也添加不入数据库中。
当时,我们也好生郁闷,这到底怎么回事,我们亲自测试后台添加任意的产品或者文字都能成功,偏偏他就不行,在网站搜索了相关的如“Ewebeditor 不能添加到数据库”,似乎找到了一点答案,因Ewebeditor自身没对单引号过滤,导致了添加不到数据库的问题。于是乎,我们把编辑器换成了fckeditor,可是还是不行,那是Ewebeditor及fckeditor自带的不完善导致的吗?为什么一个简单的单引号会引发不能添加到数据库呢,想到这里,我们想到了分析下入库代码,我们采用的是SQL=insert into product(title,content) values(' " request("title") "' ,' "request("content") " ' )的写法,于是我们找到客户当时COPY进编辑器里的内容,发现,果然这内容中包括有单引号,原来,正是由于客户提交到编辑器里的内容中含有单引号,导致我们的SQL语句变化了,相当于原来是SQL=insert into product(title,content) values('内容' ,'内容' )变成了SQL=insert into product(title,content) values(' 内容' ,' 内容'' ) ,我们细看就知道,就因为这content里多了个单引号,SQL语句发生的严重的写法错误,但是,我们也奇怪,既然他写法错误,为什么SQL语句不给出错误提示呢,竟然也会提示操作成功,想到这里,我们想到了2003年那几年,普遍的小黑客喜欢用的'or'='or'的后台入侵法,是乎正是利用了SQL执行时,没过滤单引号的BUG,导致SQL怎么执行,结果都返回真,呵呵,没想到,原以为写程序尽量图个简单明了,也是个错啊。好了,问题找到了,以后,凡是SQL入库前,我们都把字段过滤后再传值,就不会再出这样的问题了,下面是一个非常完善的SQL安全过滤函数,大家直接拿去就可以调用了。
复制代码 代码如下:
Function HTMLEncode(Str)
If Isnull(Str) Then
HTMLEncode = ""
Exit Function
End If
Str = Replace(Str,Chr(0),"", 1, -1, 1)
Str = Replace(Str, """", "quot;", 1, -1, 1)
Str = Replace(Str,"","lt;", 1, -1, 1)
Str = Replace(Str,">","gt;", 1, -1, 1)
Str = Replace(Str, "script", "#115;cript", 1, -1, 0)
Str = Replace(Str, "SCRIPT", "#083;CRIPT", 1, -1, 0)
Str = Replace(Str, "Script", "#083;cript", 1, -1, 0)
Str = Replace(Str, "script", "#083;cript", 1, -1, 1)
Str = Replace(Str, "object", "#111;bject", 1, -1, 0)
Str = Replace(Str, "OBJECT", "#079;BJECT", 1, -1, 0)
Str = Replace(Str, "Object", "#079;bject", 1, -1, 0)
Str = Replace(Str, "object", "#079;bject", 1, -1, 1)
Str = Replace(Str, "applet", "#097;pplet", 1, -1, 0)
Str = Replace(Str, "APPLET", "#065;PPLET", 1, -1, 0)
Str = Replace(Str, "Applet", "#065;pplet", 1, -1, 0)
Str = Replace(Str, "applet", "#065;pplet", 1, -1, 1)
Str = Replace(Str, "[", "#091;")
Str = Replace(Str, "]", "#093;")
Str = Replace(Str, """", "", 1, -1, 1)
Str = Replace(Str, "=", "#061;", 1, -1, 1)
Str = Replace(Str, "'", "''", 1, -1, 1)
Str = Replace(Str, "select", "sel#101;ct", 1, -1, 1)
Str = Replace(Str, "execute", "#101xecute", 1, -1, 1)
Str = Replace(Str, "exec", "#101xec", 1, -1, 1)
Str = Replace(Str, "join", "jo#105;n", 1, -1, 1)
Str = Replace(Str, "union", "un#105;on", 1, -1, 1)
Str = Replace(Str, "where", "wh#101;re", 1, -1, 1)
Str = Replace(Str, "insert", "ins#101;rt", 1, -1, 1)
Str = Replace(Str, "delete", "del#101;te", 1, -1, 1)
Str = Replace(Str, "update", "up#100;ate", 1, -1, 1)
Str = Replace(Str, "like", "lik#101;", 1, -1, 1)
Str = Replace(Str, "drop", "dro#112;", 1, -1, 1)
Str = Replace(Str, "create", "cr#101;ate", 1, -1, 1)
Str = Replace(Str, "rename", "ren#097;me", 1, -1, 1)
Str = Replace(Str, "count", "co#117;nt", 1, -1, 1)
Str = Replace(Str, "chr", "c#104;r", 1, -1, 1)
Str = Replace(Str, "mid", "m#105;d", 1, -1, 1)
Str = Replace(Str, "truncate", "trunc#097;te", 1, -1, 1)
Str = Replace(Str, "nchar", "nch#097;r", 1, -1, 1)
Str = Replace(Str, "char", "ch#097;r", 1, -1, 1)
Str = Replace(Str, "alter", "alt#101;r", 1, -1, 1)
Str = Replace(Str, "cast", "ca#115;t", 1, -1, 1)
Str = Replace(Str, "exists", "e#120;ists", 1, -1, 1)
Str = Replace(Str,Chr(13),"br>", 1, -1, 1)
HTMLEncode = Replace(Str,"'","''", 1, -1, 1)
End Function
您可能感兴趣的文章:- Fckeditor XML Request error:internal server error (500) 解决方法小结
- FCKeditor编辑器添加图片上传功能及图片路径问题解决方法
- ie9后浏览器fckeditor无法上传图片、弹出浮层内容不显示的解决方法
- fckeditor在ie9中无法弹出对话框的解决方法(弹出层兼容问题)
- FCKeditor 图片上传进度条不动的解决方法
- asp.net+FCKeditor上传图片显示叉叉图片无法显示的问题的解决方法
- 浏览器执行history.go(-1) FCKeditor编辑框内显示html源代码的解决方法
- 伪静态下不能使用FCKeditor的解决方法
- FCKeditor 2.6 编码错误导致修改的内容出现乱码的解决方法
- FCKEDITOR 的高级功能和常见问题的解决方法
- jsp fckeditor 上传中文图片乱码问题的解决方法
- Asp.net FCKEditor 2.6.3 上传文件没有权限解决方法
- fckeditor部署到weblogic出现xml无法读取及样式不能显示问题的解决方法